A similar issue exists that allows someone to kill TCP connections that go through many types of firewalls. If the firewalls involved don't adequately follow the sequence numbers being used in a connection, you can usually indirectly kill the connection by sending a reset packet with correct source/dest IPs and ports but a random sequence number. Many firewalls will see this reset and remove the connection from their state tables, even if the end host discarded this bad reset. If the real source or destination hosts send additional traffic over this connection, the firewall will see this as bad traffic and usually send a valid reset to that host, officially killing the connection. The actual firewall behavior will vary depending on the specific firewall, but the end result is always that the connection dies.

This method also works with FINs in some cases because many firewalls treat FINs in a similar way as resets instead of allowing long-term half-closed connections. I've personally done this with about 3 different firewalls, but I don't see any reason that it wouldn't work with any firewall that doesn't follow sequence numbers for every connection (failover pairs come to mind in particular). Combined with predictable source ports, it makes a fairly decent DoS against hosts going through firewalls to known points.

This issue was touched on in one of the Cisco advisories in an indirect and roundabout way. Sorry if someone else has brought this up before in a different forum, but I don't remember seeing or hearing about it and think it deserves to be mentioned in this thread.

-Brian Soby
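Added example, not part of Brian Soby's post or any vendor's code: a toy Python model of a stateful firewall's connection table, run once in the mode the post describes (any RST/FIN on a known 4-tuple tears down state) and once with the sequence number checked against the tracked receive window first. Hosts, ports, sequence numbers and the 65535 window are constructed values.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    src: str; sport: int; dst: str; dport: int
    seq: int; length: int; flags: frozenset   # flags: subset of {"ACK","FIN","RST"}
@dataclass
class Direction:
    next_seq: int   # next sequence number expected from this sender
    window: int     # receive window advertised by the peer
class StatefulFirewall:
    """Toy connection tracker keyed by directed 4-tuple. With check_seq=False it
    models the firewalls in the post: any RST/FIN on a known 4-tuple tears down
    state. With check_seq=True an RST/FIN must fall inside the tracked window."""
    def __init__(self, check_seq: bool):
        self.check_seq = check_seq
        self.table = {}   # (src, sport, dst, dport) -> Direction

    def add_connection(self, a, aport, b, bport, a_seq, b_seq, window=65535):
        # Constructed: the state a real tracker would learn from the handshake.
        self.table[(a, aport, b, bport)] = Direction(a_seq, window)
        self.table[(b, bport, a, aport)] = Direction(b_seq, window)

    def _in_window(self, seg: Segment, d: Direction) -> bool:
        return ((seg.seq - d.next_seq) & 0xFFFFFFFF) < d.window

    def handle(self, seg: Segment) -> str:
        """Returns 'forward', 'drop' or 'teardown' for one segment."""
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        d = self.table.get(key)
        if d is None:
            return "drop"   # no state; the post notes real firewalls often answer with a RST
        if self.check_seq and not self._in_window(seg, d):
            return "drop"   # off-window segment: ignore it and keep the entry
        if seg.flags & {"RST", "FIN"}:
            self.table.pop(key, None)
            self.table.pop((seg.dst, seg.dport, seg.src, seg.sport), None)
            return "teardown"
        d.next_seq = (seg.seq + seg.length) & 0xFFFFFFFF
        return "forward"

def spoofed_reset_outcome(check_seq: bool) -> tuple:
    """A RST with the right 4-tuple but a bogus sequence number arrives from the
    server side, then the real client sends data. Returns the two verdicts."""
    fw = StatefulFirewall(check_seq)
    fw.add_connection("10.0.0.5", 40000, "192.0.2.10", 443, a_seq=1000, b_seq=5000)
    bogus = Segment("192.0.2.10", 443, "10.0.0.5", 40000, 5000 + 70000, 0, frozenset({"RST"}))
    data = Segment("10.0.0.5", 40000, "192.0.2.10", 443, 1000, 100, frozenset({"ACK"}))
    return fw.handle(bogus), fw.handle(data)
```

The naive tracker returns ("teardown", "drop"): the bogus RST removes the entry and the client's next legitimate segment is treated as out-of-state traffic, which is the failure mode the post describes; the window-checking tracker returns ("drop", "forward").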